Monday, 9 November 2015

Exchange 2013/2016 - Can you delete the self signed certificate?

In this post, we’ll set out to answer the question of whether or not you should delete the self signed SSL certificate on Exchange 2013/2016 that is installed when you install Exchange.

Exchange Default Certificates

First, we’ll do some investigation into which certificates are installed by default with Exchange. In this test lab, we have an Exchange 2013 multirole server called litex01 and an Exchange 2016 multirole server called litex02. Both servers are in the same domain, litwareinc.com. Litex02 is a new install of Exchange and has the default certificates and certificate settings. Below we can see a list of the certificates that were installed as part of the Exchange install:

Get-ExchangeCertificate | fl

Both certificates are self signed, but only one shows a start date on the date the Exchange server was installed (26/10/2015). The other has a start date from before Exchange was installed. See below:

Both of these certificates are valid for 5 years. Looking at these dates, the certificate issued by LITEX02 was installed on the day Exchange 2016 was installed, but the other certificate was installed well before even the OS was deployed. In fact, it was installed on the day Exchange was installed on LITEX01, which is 25/09/2015.

Digging a bit deeper, the Microsoft Exchange Server Auth Certificate is the same on both servers. See below, where the thumbprint, start and end dates and the serial number are all the same:

Get-ExchangeCertificate -Server litex01 | ? {$_.Subject -eq "CN=Microsoft Exchange Server Auth Certificate"} | fl

Get-ExchangeCertificate -Server litex02 | ? {$_.Subject -eq "CN=Microsoft Exchange Server Auth Certificate"} | fl

What happens when you delete the self-signed certificate?

At this point you may be thinking that’s all great, but surely I can just get a certificate from a public CA, assign all the services to it and be done with the certificate. To test this, I’ve replaced the self-signed certificate on LITEX01. The outcome is that everything is working fine (OWA, ECP, Outlook RPC/HTTP, Outlook MAPI/HTTP, internal and external mail flow etc.) but you will now get event ID 12014 logged in the Application event log. Many times these are just ignored by administrators, but we’ll take a look at them today.

Each event reports that Exchange couldn’t find a certificate that matches the name litex01.litwareinc.com. This is expected, as the certificate has been deleted and the name is no longer on any certificate. Note that each event reports the error for a different connector.

Log Name: Application
Source: MSExchangeFrontEndTransport
Date: 01/11/2015 22:41:53
Event ID: 12014
Task Category: TransportService
Level: Error
Keywords: Classic
User: N/A
Computer: litex01.litwareinc.com
Description:
Microsoft Exchange could not find a certificate that contains the domain name litex01.litwareinc.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Inbound Proxy Internal Send Connector with a FQDN parameter of litex01.litwareinc.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

Source: MSExchangeFrontEndTransport
Date: 01/11/2015 22:20:29
Event ID: 12014
Task Category: TransportService
Level: Error
Keywords: Classic
User: N/A
Computer: litex01.litwareinc.com
Description:
Microsoft Exchange could not find a certificate that contains the domain name litex01.litwareinc.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Client Frontend LITEX01 with a FQDN parameter of litex01.litwareinc.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

Log Name: Application
Source: MSExchangeFrontEndTransport
Date: 03/11/2015 18:57:52
Event ID: 12014
Task Category: TransportService
Level: Error
Keywords: Classic
User: N/A
Computer: litex01.litwareinc.com
Description:
Microsoft Exchange could not find a certificate that contains the domain name litex01.litwareinc.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default Frontend LITEX01 with a FQDN parameter of litex01.litwareinc.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

Source: MSExchangeTransport
Date: 03/11/2015 23:44:13
Event ID: 12014
Task Category: TransportService
Level: Error
Keywords: Classic
User: N/A
Computer: litex01.litwareinc.com
Description:
Microsoft Exchange could not find a certificate that contains the domain name litex01.litwareinc.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default LITEX01 with a FQDN parameter of litex01.litwareinc.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

Log Name: Application
Source: MSExchangeTransport
Date: 03/11/2015 23:38:30
Event ID: 12014
Task Category: TransportService
Level: Error
Keywords: Classic
User: N/A
Computer: litex01.litwareinc.com
Description:
Microsoft Exchange could not find a certificate that contains the domain name litex01.litwareinc.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Intra-Organization SMTP Send Connector with a FQDN parameter of litex01.litwareinc.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

Log Name: Application
Source: MSExchangeTransportSubmission
Date: 03/11/2015 23:29:40
Event ID: 12014
Task Category: TransportService
Level: Error
Keywords: Classic
User: N/A
Computer: litex01.litwareinc.com
Description:
Microsoft Exchange could not find a certificate that contains the domain name litex01.litwareinc.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Mailbox Proxy Send Connector with a FQDN parameter of litex01.litwareinc.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

We have TLS certificate errors for the below connectors:

Inbound Proxy Internal Send Connector

Client Frontend LITEX01

Default Frontend LITEX01

Default LITEX01

Intra-Organization SMTP Send Connector

Mailbox Proxy Send Connector
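As an added example (not code from the original post), the following PowerShell pulls event 12014 from the Application log and extracts the connector and FQDN each one names, so the list above can be produced from a live server instead of being read off the events by hand. It relies on the provider names and message wording shown in the events above; the sample message used to exercise the parser is constructed, and the log query assumes it runs on the Exchange server itself.

```powershell
# Added example, not from the original post. Parses Exchange event 12014 and
# summarises which connector/FQDN pairs lack a usable STARTTLS certificate.
function ConvertFrom-Event12014Message {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Message)
    process {
        # The event text names the connector and its effective FQDN in a fixed phrase.
        if ($Message -match 'for the connector (?<Connector>.+?) with a FQDN parameter of (?<Fqdn>\S+?)\.\s') {
            [pscustomobject]@{ Connector = $Matches.Connector; Fqdn = $Matches.Fqdn }
        }
    }
}

function Get-Event12014Summary {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $filter = @{
        LogName      = 'Application'
        Id           = 12014
        ProviderName = 'MSExchangeTransport', 'MSExchangeFrontEndTransport', 'MSExchangeTransportSubmission'
        StartTime    = $Since
    }
    # SilentlyContinue: Get-WinEvent reports an error when nothing matches the filter.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $parsed = $_.Message | ConvertFrom-Event12014Message
            if ($parsed) {
                [pscustomobject]@{ Connector = $parsed.Connector; Fqdn = $parsed.Fqdn;
                                   Source = $_.ProviderName; Seen = $_.TimeCreated }
            }
        } |
        Group-Object Connector, Fqdn |
        ForEach-Object {
            $latest = $_.Group | Sort-Object Seen -Descending | Select-Object -First 1
            [pscustomobject]@{ Connector = $latest.Connector; Fqdn = $latest.Fqdn;
                               Source = $latest.Source; Count = $_.Count; LastSeen = $latest.Seen }
        }
}

# Constructed sample message in the shape of the events above, to exercise the parser offline.
$sample = 'Microsoft Exchange could not find a certificate that contains the domain name ' +
          'litex01.litwareinc.com in the personal store on the local computer. Therefore, it is ' +
          'unable to support the STARTTLS SMTP verb for the connector Default Frontend LITEX01 ' +
          'with a FQDN parameter of litex01.litwareinc.com. If the connector''s FQDN is not ' +
          'specified, the computer''s FQDN is used.'
$sample | ConvertFrom-Event12014Message

# On the server itself: one row per connector/FQDN pair, most frequent first.
Get-Event12014Summary | Sort-Object Count -Descending | Format-Table -AutoSize
```

Hidden connectors such as the Inbound Proxy Internal Send Connector show up here by name even though the connector cmdlets never list them, which is the quickest way to see that the errors are not limited to connectors you can reconfigure.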

As our domain ends in .com, it is quite straightforward for us to add litex01.litwareinc.com to the certificate from the public CA, but this is not going to work in every situation: many domains end in .local, which means the name can no longer be added to certificates from public CAs. So this is not going to help us.

Perhaps we can look at changing the FQDN on each of the connectors that have an issue. If we list the receive connectors on litex01, we get the below:

Get-ReceiveConnector -Server litex01

and if we list the send connectors, we can see the below:

We now have a little problem: where is the Inbound Proxy Internal Send Connector? In fact, quite a few of the connectors that are reporting errors cannot have their FQDN changed, because they are not visible and cannot be configured. Exchange relies on this self-signed certificate.

The conclusion, therefore, is not to delete the self signed certificate, as it causes errors that cannot be resolved without recreating the certificate. If you’ve already deleted your self-signed certificate, you can follow the instructions to recreate it here.
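As an added example (not the post's own code), this PowerShell performs the check described in the 12014 event text before any certificate is removed: for every connector on a server it works out the FQDN Exchange will present for STARTTLS (the connector's Fqdn if set, otherwise the server FQDN) and confirms that a certificate enabled for SMTP covers that name. It assumes the Exchange Management Shell and the cmdlets used in the post; litex01 is the post's lab server, and the treatment of the hidden connectors follows what the events above show (they always use the server FQDN).

```powershell
# Added example, not from the original post. Run before removing or replacing a
# certificate to see which connectors would start logging event 12014.
function Test-SmtpConnectorCertificates {
    param([string]$Server = 'litex01')

    $serverFqdn = (Get-ExchangeServer -Identity $Server).Fqdn.ToLower()
    $certs      = Get-ExchangeCertificate -Server $Server

    # Effective FQDN per connector: the connector's own Fqdn if set, otherwise the
    # computer FQDN (the rule stated in the 12014 event text).
    $targets = @()
    foreach ($rc in Get-ReceiveConnector -Server $Server) {
        $fqdn = if ($rc.Fqdn) { $rc.Fqdn.ToString() } else { $serverFqdn }
        $targets += [pscustomobject]@{ Connector = $rc.Name; Fqdn = $fqdn.ToLower() }
    }
    foreach ($sc in Get-SendConnector | Where-Object { $_.SourceTransportServers.Name -contains $Server }) {
        $fqdn = if ($sc.Fqdn) { $sc.Fqdn.ToString() } else { $serverFqdn }
        $targets += [pscustomobject]@{ Connector = $sc.Name; Fqdn = $fqdn.ToLower() }
    }
    # The hidden proxy / intra-org connectors from the post are not returned by the
    # cmdlets and always use the computer FQDN, so that name is checked regardless.
    $targets += [pscustomobject]@{ Connector = '(hidden internal connectors)'; Fqdn = $serverFqdn }

    foreach ($t in $targets) {
        # A usable certificate: SMTP enabled, not expired, and a CertificateDomains entry
        # matching the name (-like lets a *.domain wildcard entry match as well).
        $match = $certs | Where-Object {
            $_.Services.ToString() -match '\bSMTP\b' -and
            $_.NotAfter -gt (Get-Date) -and
            (($_.CertificateDomains | ForEach-Object { $t.Fqdn -like $_.ToString().ToLower() }) -contains $true)
        }
        [pscustomobject]@{
            Connector  = $t.Connector
            Fqdn       = $t.Fqdn
            Covered    = [bool]$match
            Thumbprint = ($match | Select-Object -First 1).Thumbprint
        }
    }
}

Test-SmtpConnectorCertificates -Server litex01 | Format-Table -AutoSize
```

Any row with Covered = False is a connector that will log event 12014 once the certificate currently covering that name is gone, which is exactly what happened to the server FQDN when the self-signed certificate was removed.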